RSA Confirms Emergence of Alternative to Zeus in Underground of Cybercrime

Security researchers at the security firm RSA have revealed a new banking Trojan for sale on underground forums that is being marketed as a replacement for the Zeus Trojan.

The new Trojan is called Pandemiya and is similar to Zeus. According to RSA's FraudAction team, it allows cybercriminals to steal form data, login credentials and files from infected computers.

SecurityWeek published a report on 10 June 2014 quoting Uri Fleyder, Cybercrime Research Lab Manager of the RSA Research Group, as saying: "Pandemiya, like Zeus, also has a modular design, making it quite easy for cybercriminals to expand and add functionality."

Pandemiya has all the capabilities usual among banking Trojans, such as injecting fake elements into websites, capturing screenshots of the user's screen and encrypting its communications with the control panel.

Unlike similar offerings, this newfangled tool does not recycle any of the previously leaked Zeus code. RSA notes that the creator spent over a year building it and that it contains in excess of 25,000 lines of unique C code. The fraudsters behind Pandemiya are presently advertising it for sale at a price of $1,500 USD for the core application and $2,000 USD with plug-ins for additional functionality.

Interestingly, Pandemiya includes defensive measures that help it avoid detection. One of the defenses offered by Pandemiya's author is the signing of the botnet files, which guards it against analysis by researchers and law enforcement and also prevents it from being hijacked by other criminals.

Pandemiya has an experimental feature that promises an infection vector via Facebook, but RSA's researchers did not confirm that it works. If it does, and Pandemiya takes off, there may be a revival of Koobface-style infections. Another experimental feature is a reverse hidden RDP module, but as with the Facebook module, it is not known whether it works.

Threatpost.com reported on 10 June 2014 quoting Fleyder as saying: "These days many Trojans are using social networks (in the past most of them have been relying on instant messaging services like ICQ and Windows Messenger) to spread, exploiting the trust of humans ("friends" in social networks), which is a classic example of social engineering."